Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ArgoCD object should use argocd-server-tls secret in openshift-gitops namespace for TLS cert #629

Closed
upr-kmd opened this issue Dec 14, 2023 · 2 comments · Fixed by #780
Closed

ArgoCD object should use argocd-server-tls secret in openshift-gitops namespace for TLS cert #629

upr-kmd opened this issue Dec 14, 2023 · 2 comments · Fixed by #780
Assignees
@svghadi
Labels
kind/enhancement New feature or request

Comments

@upr-kmd
Copy link

upr-kmd commented Dec 14, 2023

Is your feature request related to a problem? Please describe.
ArgoCD object doesn't use argocd-server-tls secret in openshift-gitops namespace for the openshift-gitops-server route.
Currently the TLS certificate has to be embedded inside the ArgoCD CR to make it deploy a TLS cert for the openshift-gitops-server route. This is counterproductive. Openshift-gitops operator should always use secrets instead of embedded certificates.

Describe the solution you'd like
The current setup according to the openshift-gitops documentation is:

$ oc edit argocd/openshift-gitops

 server:
      [...]
      route:
        enabled: true
        tls:
          certificate: |
            -----BEGIN CERTIFICATE-----
            ---                         <======= Add the custom-cert here
            -----END CERTIFICATE-----
          key: |
            -----BEGIN RSA PRIVATE KEY-----
            ---                        <======= Add the key here
            -----END RSA PRIVATE KEY-----
          insecureEdgeTerminationPolicy: Redirect
          termination: reencrypt
  [...]

Instead, it should be:

$ oc edit argocd/openshift-gitops

 server:
      [...]
      route:
        enabled: true
        tls:
          secret: <secret-name>
          insecureEdgeTerminationPolicy: Redirect
          termination: reencrypt
  [...]

Describe alternatives you've considered
N/A

Additional context
N/A
@ctrought
Copy link

OCP 4.16 is supposed to have a new field added to Route API "externalCertificate". I don't know the exact design details, but I assume the intention is to allow referencing a secret natively. Again assuming this is implemented, ArgoCD should be able to easily expose the field in the spec.server.route.tls.externalCertificate,

https://docs.openshift.com/container-platform/4.16/rest_api/network_apis/route-route-openshift-io-v1.html#spec-tls-externalcertificate

For now we've been overcoming this by leveraging either cert-manager combined with cert-manager routes and configuring the cert via annotations.
https://github.com/cert-manager/openshift-routes

The other option, and probably more stable would be simply using the ingress in ArgoCD CR as a means for configuring the route which does let you specify the TLS secret and OCP will generate the route + embed the certificate automatically.

@leiicamundi leiicamundi mentioned this issue Jun 4, 2024
Closed
6 tasks
@svghadi svghadi added the kind/enhancement New feature or request label Aug 27, 2024
@anandf
Copy link
Member

anandf commented Sep 25, 2024

ArgoCD operator should work with older versions of OCP as well. So it may not be a good idea to depend on the latest OCP 4.16 feature for the implementation.

@svghadi svghadi self-assigned this Oct 25, 2024
@svghadi svghadi mentioned this issue Oct 31, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@svghadi svghadi

Labels
kind/enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat: Support use of secrets for Route tls data svghadi/gitops-operator
4 participants
@anandf @upr-kmd @svghadi @ctrought